MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3693a93f4ddbfa1eb9207e06cf87041b59b9b1ddfd866e6fbbbb52aaeae7ed83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 9

SHA256 hash: 3693a93f4ddbfa1eb9207e06cf87041b59b9b1ddfd866e6fbbbb52aaeae7ed83
SHA3-384 hash: bc3e90a5deec6b132741be1365264a40637968e186cbe28311e35802be3f3c3f93685a2fdcdc59c898d88e7006c33f7e
SHA1 hash: db048b176a6f99934f13d1bac90a7918600a0f23
MD5 hash: 0e5a32151bc2d235ca8b57bfd1684f6e
humanhash: failed-queen-winner-nine
File name: SecuriteInfo.com.Trojan.Siggen13.7926.26442.26251
Signature: QuasarRAT
File size: 1'193'475 bytes
First seen: 2021-04-13 21:37:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 18bc6fa81e19f21156316b1ae696ed6b (51 x Formbook, 24 x Loki, 9 x SnakeKeylogger)
ssdeep: 24576:zy2Vomx23+VG2+agecnA+23sydrsVWcs4s:zy2SmxA+eage2HSdrsfs4s
Threatray: 4'425 similar samples on MalwareBazaar
TLSH: AC459ED1B150CCDAE96B49F1BD2BA53024D3BE9C54A4410C56AEBB1B76B3342309FE1E
Reporter: SecuriteInfoCom
Tags: QuasarRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 121
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Trojan.Siggen13.7926.26442.26251
Verdict: Malicious activity
Analysis date: 2021-04-13 21:53:14 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Setting a keyboard event handler
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: StormKitty
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to prevent local Windows debugging
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Generic Dropper
Yara detected StormKitty Stealer
Behaviour
Behavior Graph (rendered as an image on the original page): Behavior Graph ID: 386332; Sample: SecuriteInfo.com.Trojan.Sig...; Startdate: 13/04/2021; Architecture: WINDOWS; Score: 100. The graph shows the sample executable dropping a PE32 DLL at C:\Users\user\AppData\...\yyky0yh9xnyax.dll and starting a second instance of itself; that instance contacts smtp.1and1.com on port 587 and launches AppLaunch.exe and two InstallUtil.exe processes. AppLaunch.exe carries the credential-theft signatures and later launches WerFault.exe, while InstallUtil.exe contacts api.anonfile.com and anonfiles.com over port 443.
Threat name: Win32.Trojan.Predator
Status: Malicious
First seen: 2021-04-13 10:55:47 UTC
AV detection: 17 of 29 (58.62%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Reads local data of messenger clients
Unpacked files
SHA256 hash: 1c8d220052a771eda30d0a58aa4c74a0260595488d4468a57616b20da55be820
MD5 hash: 4f85ab31a81e897315fc38373221023f
SHA1 hash: 3e73f679a385e34e0bd50a20d6db357e455049b7
SHA256 hash: 3693a93f4ddbfa1eb9207e06cf87041b59b9b1ddfd866e6fbbbb52aaeae7ed83
MD5 hash: 0e5a32151bc2d235ca8b57bfd1684f6e
SHA1 hash: db048b176a6f99934f13d1bac90a7918600a0f23

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: @ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time.

Rule name: INDICATOR_TOOL_PWS_SharpWeb
Author: ditekSHen
Description: Detects all versions of the browser password dumping .NET tool, SharpWeb.

Rule name: MALWARE_Win_StormKitty
Author: ditekSHen
Description: Detects StormKitty infostealer

Rule name: Quasar_RAT_1
Author: Florian Roth
Description: Detects Quasar RAT
Reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: Stealer_word_in_memory
Author: James_inthe_box
Description: The actual word stealer in memory

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments

a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-14 08:44:26 UTC

================================================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
================================================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [C0032.001] Data Micro-objective::CRC32::Checksum
2) [C0026.002] Data Micro-objective::XOR::Encode Data
4) [C0045] File System Micro-objective::Copy File
5) [C0046] File System Micro-objective::Create Directory
6) [C0048] File System Micro-objective::Delete Directory
7) [C0047] File System Micro-objective::Delete File
8) [C0049] File System Micro-objective::Get File Attributes
9) [C0051] File System Micro-objective::Read File
10) [C0050] File System Micro-objective::Set File Attributes
11) [C0052] File System Micro-objective::Writes File
12) [E1510] Impact::Clipboard Modification
13) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
14) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
15) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
16) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
17) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
18) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
19) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
20) [C0017] Process Micro-objective::Create Process
21) [C0038] Process Micro-objective::Create Thread
22) [C0018] Process Micro-objective::Terminate Process